A pair of bugs in the Kubernetes open-source cloud container software can be “highly dangerous” under some Kubernetes configurations, according to researchers. The flaws, CVE-2019-16276 and CVE-2019-11253, have been patched in Kubernetes builds 1.14.8, 1.15.5 and 1.16.2. Exploitation of the first issue, CVE-2019-16276, is “very simple,” according to Ariel Zelivansky and Aviv Sasson at Palo Alto Networks – and could allow an attacker to bypass authentication controls to access a container. According to the bug report, the high-severity flaw is an HTTP protocol violation in the Go language’s standard HTTP library, net/http, which is used for parsing HTTP requests. The issue arises because the HTTP specification allows no whitespace between a header’s field-name and the colon that follows it. The Palo Alto researchers noted in a posting on Wednesday that “HTTP requests are comprised of a field-name, followed by a colon, then its value…no whitespace is allowed between the header’s field-name and colon….the net/http library interpreted headers with this whitespace the same as valid headers, in violation of the HTTP RFC.” The real-world effect of the bug becomes clear when you consider that the Kubernetes API server can be used for authentication and access control – as the Palo Alto researchers pointed out, it can be “configured to work with an Authenticating Proxy and identify users through request headers.” Thanks to the bug, the proxy could ignore invalid…

Cybercrime forums have been abuzz this week over news that BriansClub — one of the underground's largest shops for stolen credit and debit cards — has been hacked, and its inventory of 26 million cards shared with security contacts in the banking industry. Now it appears this brazen heist may have been the result of one of BriansClub's longtime competitors trying to knock out a rival. An advertisement for BriansClub that for years has used my name and likeness to peddle stolen cards. Last month, KrebsOnSecurity was contacted by an anonymous source who said he had the full database of 26M cards stolen from BriansClub, a carding site that has long used this author's name and likeness in its advertising. The stolen database included cards added to the site between mid-2015 and August 2019. This was a major event in the underground, as experts estimate the total number of stolen cards leaked from BriansClub represent almost 30 percent of the cards on the black market today. The purloined database revealed BriansClub sold roughly 9.1 million stolen credit cards, earning the site and its resellers a cool $126 million in sales over four years. In response to questions from KrebsOnSecurity, the administrator of BriansClub acknowledged that the data center serving his site had been hacked earlier in the year (BriansClub claims this happened in February), but insisted that all of the cards stolen by the hacker had been removed from BriansClub store inventories. However, as I…

Just the thought of ransomware is enough to keep CISOs and security teams up at night. Victims are caught in an awful choice between paying a ransom to a criminal who may or may not release their captured network and data, or potentially spending millions of dollars to remove the ransomware on their own. According to one recent report, the cost for a single ransomware incident averages about $713,000 when you figure in the cost of paying the ransom along with related losses, such as downtime, the value of any lost data or hardware, the expense of improving your infrastructure, and the time and money required to repair your brand image. This number can also increase exponentially the longer that critical systems remain offline. And those costs are likely to rise. In a recent attack this year, for example, attackers demanded a payment of 13 Bitcoin (over $75,000) for each computer affected by the attack so users could regain access to their files – far above the normal ransom demand, which previously was just under $13,000. You Do Not Have to Be a Victim Because of the financial success of ransomware, it continues to attract cybercriminals, who either launch large-scale attacks that seek to suck in careless victims or carefully plan highly focused attacks aimed at specific targets that are most likely to pay up. Even less technical criminals are jumping on the bandwagon through a growing number of ransomware-as-a-service portals available on the Dark Web. Regardless of…

Silent Librarian is targeting university students in full force with a revamped phishing campaign. The threat group, aiming to steal student login credentials, is using new tricks that bring more credibility to its phishing emails and help it avoid detection. The threat group (also known as TA407 and Cobalt Dickens), which operates out of Iran, has been on the prowl for credentials since the start of the 2019 school year in September, launching low-volume, highly targeted, socially engineered emails that eventually trick students into handing over their login credentials. More recent campaigns show the cyberattackers using shortened URL links in their phishing emails, which make it more difficult to detect that victims are being redirected to an attacker-hosted landing page. The attackers have also revamped their landing pages with new university-specific banners, based on weather alerts or emergency notifications, to make them look more authentic. “The changes in URL shorteners, linking and hosting practices described here make detection of TA407’s activities increasingly difficult for defenders and demonstrate the adaptability and innovation that have enabled this threat actor to drive billions of dollars in losses in terms of intellectual property theft and resale of stolen journal subscriptions,” said Proofpoint researchers, in an analysis this week. Back-To-School Attacks The attacks start with phishing messages to students with themed subject lines (such as…

Audio .WAV files are the latest hiding place for obfuscated malicious code; a campaign has been spotted in which malicious content was secretly woven throughout the file’s audio data. The embedded code consists of one of three different loader components for decoding and executing malware, according to BlackBerry Cylance threat researchers. Users are likely none the wiser: When played, the WAV files either produce music that has no discernible quality issues or glitches, or, in some cases, simply generate static white noise. Two payloads were found being delivered in the campaign: an XMRig/Monero CPU cryptominer and Metasploit code used to establish a reverse shell. This suggests “a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network,” the researchers noted in an analysis released on Wednesday. The .WAV files can be delivered in any number of ways, ranging from spam or targeted emails to downloads from the web masquerading as pirated content. Delving deeper into the obfuscated code, the loaders come in three different flavors, according to the analysis: those using Least Significant Bit (LSB) steganography to decode and execute a PE file; those that employ a rand()-based decoding algorithm to decode and execute a PE file; and those that employ a rand()-based decoding algorithm to decode and execute shellcode. “These techniques demonstrate that executable content could theoretically be hidden within any file type, provided…

The Docker cloud containerization technology is the target for a just-discovered cryptojacking worm dubbed Graboid. According to researchers at Palo Alto’s Unit 42, the worm, which looks to mine the Monero cryptocurrency, has infected more than 2,000 unsecured Docker Engine (Community Edition) hosts so far, which are in the process of being cleaned. These are located mainly in China and the U.S. The Graboid malware is named after the sandworms in the 1990 Kevin Bacon movie, Tremors. Overall, the initial malicious Docker image has been downloaded more than 10,000 times, with the worm itself downloaded more than 6,500 times, according to Unit 42. Administrators can spot infections by looking for the presence of an image called “gakeaws/nginx” in the image build history. “The malicious actor gained an initial foothold through unsecured Docker daemons, where a Docker image [containing a Docker client tool used to communicate with other Docker hosts] was first installed to run on the compromised host,” the researchers wrote in a Wednesday post, adding that without any authentication or authorization, a malicious actor can take full control of the Docker Engine and the host. Once the malicious Docker container is up and running, it downloads four different scripts and a list of vulnerable and infected hosts from one of its 15 command-and-control (C2) servers. Then, it randomly picks three targets, installing the worm on the first target, stopping the miner installed on a second…


This podcast is brought to you by Code42. With so many malicious adversaries trying to penetrate companies’ networks, companies are forgetting to watch out for a dangerous threat from within their own ranks – insider threats. Threatpost talks to Tim Bandos, vice president of cybersecurity at Digital Guardian, about the top types of insider threats that he’s seen – and how to prevent employees leaving the company from taking important company secrets with them. Below is a lightly edited transcript of the conversation. Lindsey O’Donnell: Hi, everyone. Welcome back to the Threatpost podcast. You’ve got Lindsey O’Donnell with Threatpost here, and I’m here today with Tim Bandos, the vice president of cybersecurity at Digital Guardian. Tim, thanks so much for joining me today. How are you? Tim Bandos: I’m doing great, Lindsey. Thanks for having me. LO: Great. Well, we’re happy to have you. So today I wanted to delve into the topic of insider threats, which is a big issue for the security industry nowadays. But before we get started, can you tell us a little bit about yourself and your role at Digital Guardian? TB: Sure, yeah. So I’ve been in the…

Every security professional knows it’s only a matter of time before their organization is breached. And even though most security-conscious organizations have implemented procedures and products to facilitate the incident response process, many security decision-makers find it much more of a challenge to communicate the ongoing IR process to their management. That is not really a surprise; members of upper management are not necessarily security savvy, and the priorities of the security professional do not necessarily align with theirs. Cynet addresses this challenge with a new Incident Response Reporting for Management Presentation Template, providing a clear view of the IR process and its output, which is typically presented to upper management. The PPT aims to give CISOs and CIOs an easy and intuitive way to communicate to management the ongoing IR process and its conclusion. By using Cynet’s new IR PPT template, security professionals will be able to more easily show upper management two main points that are of great concern during any incident response: Knowledge that the breach is under control: the main goal of incident response is first and foremost gaining control, achieving transparency of what has taken place and what items still await remediation. This means defining which investigations still must be carried out and what parts of the attack chain may still lie uncovered. Understanding breach cause and implications: When it comes down to it,…

Prices have been rising in the last two years for longstanding tools available on the Dark Web to help bad actors commit cyberattacks and fraud, alongside newer innovations that are emerging to bolster crimes like ransomware and SIM swapping, new research has found. Keeping track of these trends in dark-web markets for the tools and data cybercriminals depend on to commit nefarious acts can be a key indicator of where the next attacks will occur, according to a new Flashpoint report, “Pricing Analysis from Goods in the Cybercrime Communities.” “Tracking pricing trends within illicit marketplaces is an important barometer that can inform decision makers about threats and the risk they present to private-sector organizations, public-sector agencies, and law enforcement,” Ian Gray, director of analysis and research at Flashpoint, wrote in a Tuesday blog post. Gray, who also wrote the report, said that an understanding of how prices and demand for tools fluctuate in the market not only provides insight into new developments within the cybercrime landscape, but also can help dictate response efforts. Overall, the report shows that while some cybercriminal tools remain fairly consistently priced and reflect the value of the crimes they facilitate, other pricing is wildly disparate and seems to follow no particular trend. “Prices can vary drastically across the [dark web], and the reasons for the discrepancies remain largely unexplained,” Gray…

A woman alleges that a $3 smartphone screen protector allowed unauthorized users to bypass her Samsung Galaxy S10’s fingerprint recognition sensor – giving access to her phone and banking apps. The report ignites concerns around the impact of third-party accessories on mobile biometric sensors. The U.K. woman, Lisa Neilson, told media outlets this weekend that only her fingerprint was registered on her new Galaxy S10. However, after buying a third-party screen protector off eBay, Neilson’s husband was able to unlock her phone using his fingerprint – even though it wasn’t registered on the device. Worse, the pair found that Neilson’s husband could log into her phone and access various private apps using the fingerprint biometric security feature. The couple also put the case on Neilson’s sister’s Samsung phone and discovered that the same issue occurred. “We called Samsung because we thought there was a fault with the phone,” Neilson told The Sun this weekend. “The man in customer services took control of the phone remotely and went into all the settings and finally admitted it looked like a security breach.” Samsung did not respond to several requests for comment from Threatpost. “We’re investigating this internally. We recommend all customers to use Samsung authorized accessories,” said a Samsung spokesperson in a media statement provided to The Sun. The fingerprint sensor was one of the centerpieces of Samsung’s Galaxy S10 model, released in March 2018. Samsung said…